Florian I'm happy to look at this now with you
But based on the old discussion I'm not certain I'm happy with the
final result.
IMO - here's what we need in these:
1) If you specify nothing, you should get the default.
2) If you specify a CAfile, and there is no failure in loading it,
you should get that.
3) If any failure occurs in either case 1 or case 2 the program
should fail. Do not continue with something else.
Try for the above
On Fri, Apr 1, 2016 at 5:29 AM, Florian Zumbiehl <fl...@florz.de> wrote:
> Hi,
>
> it occured to me that this patch that I submitted quite a while ago still
> hasn't been merged and discussion about it back then got stuck due to a
> release being prepared or something--so, here I submit it again, though you
> might want to read the discussion on the thread from 2014 that I am
> replying to ...
>
> Regards, Florian
>
> --------------------------------------------------------------------------
>
> This is a fix for OpenSSL tickets #977 and #3213, loosely based on patch from
> Reuben Thomas from #3213.
> ---
> src/apps/s_client.c | 5 +++--
> src/apps/s_server.c | 10 ++++++----
> src/apps/s_time.c | 5 +++--
> 3 files changed, 12 insertions(+), 8 deletions(-)
>
> diff --git a/src/apps/s_client.c b/src/apps/s_client.c
> index f693d10..3ffedcc 100644
> --- a/src/apps/s_client.c
> +++ b/src/apps/s_client.c
> @@ -870,8 +870,9 @@ bad:
> if (!set_cert_key_stuff(ctx, cert, key))
> goto end;
>
> - if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
> - (!SSL_CTX_set_default_verify_paths(ctx))) {
> + if (!((CAfile || CApath) ?
> + SSL_CTX_load_verify_locations(ctx, CAfile, CApath) :
> + SSL_CTX_set_default_verify_paths(ctx))) {
> /*
> * BIO_printf(bio_err,"error setting default verify
> * locations\n");
> diff --git a/src/apps/s_server.c b/src/apps/s_server.c
> index 3f71740..9a20deb 100644
> --- a/src/apps/s_server.c
> +++ b/src/apps/s_server.c
> @@ -1167,8 +1167,9 @@ bad:
> #endif
>
>
> - if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
> - (!SSL_CTX_set_default_verify_paths(ctx))) {
> + if (!((CAfile || CApath) ?
> + SSL_CTX_load_verify_locations(ctx, CAfile, CApath) :
> + SSL_CTX_set_default_verify_paths(ctx))) {
> /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
> ERR_print_errors(bio_err);
> /* goto end; */
> @@ -1222,8 +1223,9 @@ bad:
> else
> SSL_CTX_sess_set_cache_size(ctx2, 128);
>
> - if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) ||
> - (!SSL_CTX_set_default_verify_paths(ctx2))) {
> + if (!((CAfile || CApath) ?
> + SSL_CTX_load_verify_locations(ctx2, CAfile,
> CApath) :
> + SSL_CTX_set_default_verify_paths(ctx2))) {
> ERR_print_errors(bio_err);
> }
> if (vpm)
> diff --git a/src/apps/s_time.c b/src/apps/s_time.c
> index 960ba4e..4dbd906 100644
> --- a/src/apps/s_time.c
> +++ b/src/apps/s_time.c
> @@ -346,8 +346,9 @@ s_time_main(int argc, char **argv)
>
> SSL_load_error_strings();
>
> - if ((!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) ||
> - (!SSL_CTX_set_default_verify_paths(tm_ctx))) {
> + if (!((CAfile || CApath) ?
> + SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)
> :
> + SSL_CTX_set_default_verify_paths(tm_ctx))) {
> /*
> * BIO_printf(bio_err,"error setting default verify
> * locations\n");
> --
> 1.7.10.4
>
